Router "security"!

[SiegeTank]

I help out an elderly neighbor from time to time. He has Internet, which he uses on one WIRED connection to Verizon DSL to visit Drudgereport.com and wait for emails from his nephews who almost never write him. That's about all he does.

He was using a Westell 6100 modem from 2007 which worked well but evidently started having problems, probably due to a power surge. So he called Verizon and, after trying to get him to upgrade his Internet speed (for more money, always a priority for Verizon CS, even when talking with old folks on a tight budget) they finally just offered to send him a new D-Link DSL-2750B Wireless Gateway. Then he called me to help him set it up.

This kind of thing is pretty straightforward, if you're at all technically literate. But he isn't so I helped. Now he doesn't want OR need Wireless so I configured it with wireless disabled. What kills me is the router has a push button on the back which, when pressed, completely overrides the router's software configuration, enabling wireless. What's really lame is that the default settings are not close to maximally secure. So this forced me to entirely configure the wireless, hiding the SSID broadcast, lengthening the WPA2 key from the default 16, adding MAC address filtering (his ONE system) and just generally tightening it up as if he were going to use it.

What's annoying is there is no way a button on the box should override software settings. The button should be a way to temporarily disable wireless on a system where the software has enabled it. NOT the other way around! It would be so easy for my aged friend to accidentally press that button. Yeah, the WLAN light would come on the front but it's pretty subtle and he wouldn't be paying any attention to the lights anyway.

I'm doubly annoyed because this reminds me that companies like Verizon ALWAYS operate to maximize their profit and minimize how much personal contact they need to have with their customers. Some exec made a business decision that if an old guy loses financially because he gets hacked due to a situation like this, it's less likely to affect Verizon financially than the cost of dealing with multiple customers who don't understand that pressing the WLAN button on the router won't override the software setting, which SHOULD be disabled by default---a conservative setting that PROTECTS their customers.

Yeah, you can call me naïve if I expect companies would look out for their customers' welfare. But I can dream, right?

Opinions?

 

[Zero0003]

Well.... If you want my 2 cents its not for your cause.

People take internet security to the extreme. Is it Needed? No. Unless you got something top secret or really trying to hide then it is a big waste of time. The casual WPA security should be fine, is it the most secure? No, but for an average person just to get internet should be fine.

Most all in one wireless router/modem have a generic SSID and passcode for the wireless that is on a sticker on the device. Resetting it will default back to those settings and that is normal as it give Tech Support a little more guidance to help the user.

User calls in about internet issues
Tech says press the button and hold it down for setting default settings
Tech says Once done connect to the internet with the SSID and wireless on the side of the mode/router
DONE!!

Locking it down to MAC address filtering, hiding SSID, turning off wireless, setting the most secure firewall, blah blah list goes on is just limiting yourself to the world of technology out there. If someone from his family visit him and wanted to use the internet or wireless... OOPS sorry can't. Why even limit yourself to that where it has to force a more technical person to come back to turn stuff on that should of been turned on in the first place.

Might want to step outside that little box of yours and take in the new technology out there as more and more devices use wireless techology.

 

[SiegeTank]

Well.... If you want my 2 cents its not for your cause.

People take internet security to the extreme. Is it Needed? No. .

That says it all. THIS in a world where millions of people have already had their identities stolen, to great harm to themselves at least in terms of time and aggravation, if not $$$, while entrusting their personal data to companies like Target, Sony, AOL, Google, etc., etc.

Did you hear a bunch of physicians in MA and NH have discovered their most recent tax returns have been filed by hackers, evidently redirecting their refunds to the hackers' accounts? Evidently this had something to do with entrusting their personal info to some physician service website which was probably running OpenSSL (wild guess on my part, could have been any of dozens of security holes.)

The old guy's nephews hardly ever e-mail him. Not likely they'll visit. If they do I'd be happy to add their MAC address to the whitelist.

You're also confirming the reason for this approach by ISP providers: what matters is what's easiest for the ISP and their service techs---NOT what's BEST for the customer. But we both knew that already!

 

[Zero0003]

Your mixing Residential Internet with Business world.

Identity Stolen?? Really and bringing up big big stores.

Lets See
Target... hacked.
Sony.... Hacked
Amazon... Hacked

Could the Residential Users have done ANYTHING different on their end to block their identities being stolen? No Well..... Yes but that would require the person not to use ANY credit carts, not shop online, and not browse their website any way

 

[JDEKnox]

Zero0003 - Please visit my website https://somestupidwebsitethatdoesn'texist.com (we are secure and using the latest version of SSL)

only what you didn't know is that the SSL Heartbleed bug works in reverse. So clients are affected and now you've just given me PII(personally identifiable information) and you're in a pretty bad situation.

Now even though this example has nothing to do with securing wireless, anything an end user can do to protect themselves they should be doing. If it means having a friend beef up your wifi or completely turn it off, you absolutely should.

Don't go around saying that securing your wireless isn't a smart thing to do. Script kiddies are going around stupidly waving their l33t sk1llz around in the air saying look what i can do to this poor old fuck who didn't secure his wireless connection strong enough.

Protecting PII should be top priority for anyone wanting to surf the web.

I personally have done a terrible job of it over the years and am seriously regretting the amount of backtracking I've had to do.

 

[Chase369]

So since we are on the internet security topic.... What kind of software do you smart tech guys suggest?

Sent from my SCH-I535 using Tapatalk

 

[JDEKnox]

Honestly most of it sucks~

Microsoft Security Essentials is actually decent. Especially for a non-managed solution. Biggest problem is a lot of people disable it.

Malware Bytes has a pretty good definition database and is kept up to date. (I use this pretty often for cleaning up a machine, though most of the time we end up rebuilding the machine because we can't risk anything being left on it.)

but the one thing that'll save your hide most of all is just being vigilant about where you're downloading from and what you're installing.

CNET as a download source has really gone downhill in the last 2 years... half the shit they host is malware, and imo they don't do a very good job at cleanup.

If you're trying to get rid of adware shit, Revo Uninstaller is pretty good at digging deep with a simple user interface. Finds a lot of registries that you'd otherwise miss.


And please don't misunderstand me, they're are likely better programs out there. This is just what i've come across and seems to work well.

 

[burdsjm]

Spybot Search and Destory

Chocolately to keep things up to date

Clamav for AV.

 

[SiegeTank]

I use Norton 360, Malwarebytes, SuperAntiSpyware and HouseCall as an extra scan.

MWB's latest engine, 2.0, has some bugginess. They're working on it and I think they'll get it fixed, cuz it's a decent company, but it troubles me because this is a recurring pattern with a lot of software companies: as they grow their software turns to shit either because they spend too much money on marketing and not enough on development OR they just load it up with so many add-on bells and whistles that they lost track of their core purpose.

Hijackthis is useful but unfortunately you gotta know what you're doing with it, not a utility for novices.

I do agree that being super-cautious about downloads and email links and attachments, along with running in standard mode (as opposed to admin, does ANYONE need to be told this anymore lol?) is more than half the battle. Plus obvious stuff like keeping Windows updated.

I like running browser and programs "sandboxed" as much as possible. Check out sandboxie.com. The theory is browsing sandboxed means nothing bad you download can affect your physical hard drive since the sandbox forces it to "install" in a temporary virtual space and it all goes away when you close the sandbox. I'm sure there's a flaw in this theory somewhere but it makes sense to me, for what it's worth.

And keep in mind nothing is guaranteed. Both Mac and Linux users historically have claimed they don't need anti-virus software but I think those myths can be shit-canned now.

/ducks

 

[rob]

Look up 'reaver'. It's a method for brute forcing WDS. I believe it's just a 6 digit number. Less than 100k options, and if you're close enough, you can get the password to the router in minutes....

 

[SiegeTank]

Look up 'reaver'. It's a method for brute forcing WDS. I believe it's just a 6 digit number. Less than 100k options, and if you're close enough, you can get the password to the router in minutes....

Wow, one writeup says it's as little as 11k numbers to check since the key is sent in two parts, 4 digit and 3 digit, so max possibilities are 10,000 + 1,000.

And then it's claimed that on some routers disabling WPS ("Wi-Fi Protected Setup, not "WDS") does NOT really disable it so they suggest checking if WPS still provides access even AFTER disabling it. ROFL. Where is the corporate responsibility of these router manufacturers here?! That's what I mean about them looking out only for themselves and NOT the consumer altho here this kind of irresponsibility is almost sure eventually to throw shit all over the company once a class action lawyer gets involved. But the problem with that is that most execs are willing to tolerate that kind of risk if it means saving money because they rationalize that when the shit hits the fan they'll have been promoted out of the position affected OR have moved on to another company by then. It's the U.S. corporate "quarterly mentality" which dictates that only issues affecting the next quarter's bottom line are worth worrying about because those issues have the short-term impact on stock prices.

Scary shit.

"Just cuz you're paranoid doesn't mean that they aren't out to get ya."

 

[Nicedreamsbt]

most newer routers will block you when using reaver now. You can add a delay to your attempts but we are talking like 3 mins on some routers. And if you have to many failed attempts in a short time it will turn off wps or just block you. Wifi security is important i think. I just moved into a new apartment building and everyone has there routers locked up tight. So yes in my jealous rage i will run mdk3

 

[rob]

Reaver is scary. If you have the ability to change your mac, or have time...you can still break into stuff. WPS shouldn't be on.

 

[SiegeTank]

WDS or WPS? These acronyms get confusing. LOL.

I thought WPS ("Wireless Protected Setup") is what gets hacked by reaver and you can block this by shutting it off in your router.

Definitely scary stuff...

 

[rob]

woops, sorry. WPS. WDS is something completely different and nifty. But yeah...i'm sure most people haven't patched their routers if it's been working fine.